Threat analysis is a central component of secure product development. With a structured approach, we help you to identify and evaluate potential threats in a practical, comprehensible and repeatable manner. From this, effective measures can be derived to reduce risks to an acceptable level. Standards such as IEC 62443, AAMI TIR57 or ETSI EN 303 645, as well as regulations such as the Machinery Regulation, the Cyber Resilience Act and the Medical Devices Regulation, require this step. In the future, threat analysis will be a prerequisite for the market approval of many products.
Threat & Risk Assessment (TRA)
Safety vs. security
How are the terms related?
Safety (functional safety) has long been a key product feature in many industries. Protecting people and the environment from the system is and remains highly relevant. The term security, on the other hand, describes the protection of the system from malicious actors (cyber security). Because products and systems are increasingly networked, their components are more exposed and attacks are more likely. A security incident can also have safety consequences, so both disciplines must now be considered together. The two also share traits: in neither can 100% protection be achieved.
While safety has proven metrics for assessing risks (in particular the probability of occurrence), this is more difficult in security because of the dynamics and complexity of the environment. New vulnerabilities that could make a system exploitable become known every day. As a result, a security analysis is not a one-off activity but a recurring task.
With our proven methodology, we help you to get a comprehensible, realistic assessment of your product security and show you which controls make most sense.
Threat analysis with the Limes Security method
Conducting a threat analysis is a new and often challenging task for many organizations – especially where there is no prior experience, no established procedure and no reference analysis to build on. This makes it all the more important to produce an analysis that is not only comprehensible but also reliable. This is precisely where we at Limes Security come in with our Product & Solution Security services:
Whether reviewing an existing analysis or jointly developing an initial threat analysis based on a specific product – we are happy to support you with our expertise. Our methodology can be used freely, adapted or used as the basis for your own approaches – whatever suits your company best.
Proven in practice & flexible
More than ten years of product & solution project experience show that the method can be seamlessly adapted to any product and team.
Efficient & scalable
In a one-day workshop, we will guide you through the method and create the first analysis for your product.
Standards-compliant & audit-ready
The analysis results comply with current security and industry standards and can be transparently documented at any time.
The Limes Security method
Threat analysis in 9 steps
The Limes Security Method offers a structured but flexible approach to identifying security risks. The individual steps are usually run through in sequence – but can also be skipped or repeated depending on the discussion.
Before we start, we create a common understanding – as the foundation for an effective analysis:
- Who should take part in a threat analysis?
It may sound simple, but it is of course important to involve the right participants. These include, for example, project managers, architects, developers and security experts and, where applicable, service technicians, suppliers or customer representatives.
- What information should be available?
Relevant information is prepared in advance, including product descriptions, system overviews, physical and logical interfaces, data flows, network zones, security requirements and the results of previous analyses.
White paper: Everything you need to know about the CRA
We – Limes Security and Ginzinger Electronics – have pooled our expertise to give you a clear overview of the requirements of the CRA – including specific recommendations for practical implementation.
